Work with federal information systems? Responsible for risk management, continuous monitoring, or FISMA compliance? Check out my book: FISMA and the Risk Management Framework.

Thursday, May 26, 2011

Proposed amendments to ECPA would restrict disclosure of geolocation data

Legislation introduced last week for consideration by the Senate Judiciary Committee would update some of the provisions in the Electronic Communications Privacy Act of 1986 (ECPA) to extend legal protections on information collected and maintained by electronic communications service provider to include geolocation information. The bill, introduced by Judiciary Committee chairman and Vermont Senator Patrick Leahy as the Electronic Communications Privacy Act Amendments Act of 2011 (S.2011) adds geolocation information (such as GPS coordinates and cell site location information) to the types of data that government authorities cannot obtain from service providers without first getting a warrant. The bill explicitly defines geolocation information as, "any information concerning the location of an electronic communications device that is in whole or in part generated by or derived from the operation or use of the electronic communications device."

Leahy, who is cited as the original author of the ECPA in the press release announcing the introduction of the new bill, has spearheaded a campaign through his committee to highlight the many ways in which modern technology has developed beyond what the law was envisioned to cover. In a series of hearings dating from before the 2010 mid-term elections, the Judiciary Committee has heard testimony from a variety of stakeholders, including government, academic, judicial, and industry representatives. More recently, committee hearings have focused on privacy issues associated with GPS coordinates and other geolocation information collected automatically by many popular mobile devices, with or without the knowledge of device users. These issues, coupled with a series of inconsistent federal court rulings that tried to interpret ECPA to apply its terms to technologies and data types that didn't exist 15 years ago, have left a somewhat confusing picture regarding just what information is subject to privacy protections, under what circumstances, and with what level of legal and administrative constraints. If enacted as written, it would appear that the proposed amendments to the ECPA would resolve the ambiguity surrounding how geolocation data should be treated. The text of the bill would amend the sections of Chapters 119 and 121 in Title 18 of the U.S. code to prohibit the disclosure of such information by service providers and preventing government authorities from accessing an electronic device for the purpose of retrieving geolocation information.

The focus on geolocation data in the proposed amendment is understandable given the attention generated by news that Apple's popular iPhone devices stores a cache of location information that some have interpreted as potentially useful for tracking an individual's location over time. Of course, cellular service providers have long collected device location information as part of their routine business operations, leading to some legal debates over just who owns that information and, in particular, whether subscribers can assert privacy rights about that information. The proposed bill addresses this key issue and several related topics about information disclosure, warrant or subpoena requirements, and emergency exceptions. Still unaddressed are other provisions in ECPA and the Stored Communications Act language it contains that cover the contents of electronic communications generally, but are not explicitly intended to address the wide variety of communications media, smartphones, tablets, and other sophisticated technologies using the services and infrastructure that modern electronic service providers now offer.

No comments:

Post a Comment